Postfix forwarder - undeliverable to internal mail server?



  • I have followed these instructions for postfix forwarder:

    "remove nat from port 25
    create a wan rule to permit smtp traffic to wan address
    check enable postfix option
    choose at least wan loopback interfaces
    fill your domain/internal smtp info"

    With the exception of "choose at least wan loopback interfaces" - I'm not sure what that means.  In the postfix forwarder configuration, I selected "WAN" for "Listen on."

    So postfix forwarder answers, which is great… but in the logs I see "status=undeliverable" and "Operation timed out" when postfix forwarder tries to deliver mail to my internal mail server.  I know the internal mail server is fine and ready to receive mail.

    Since I disabled the port 25 NAT rule per the first instruction above, do I need to create a new firewall rule which allows postfix forwarder to forward mail to my internal mail server on the LAN?


  • See this post



  • @doktornotor:

    See this post

    I think this post is related to postfix forwarder listening?  My postfix forwarder seems to be fine if I enable this rule:

    IPv4 TCP * * WAN address 25 (SMTP) * none

    In other words, when I enable that rule, postfix forwarder answers on port 25.  Confirmed with MxToolbox and sending some sample emails from my Gmail account.

    The problem I'm having is that from looking at /var/log/maillog, it looks like postfix forwarder can't forward mail to my internal mail server.  In postfix forwarder's "Domains" tab I have my domain and my mail server's internal IP configured properly.

    I think I need a rule which allows postfix forwarder to forward mail to my internal mail server?  I took a shot at creating this type of rule (For port 25, from WAN to my internal mail server's IP) and it didn't work.



  • I got rid of my SMTP rules and tried this:

    https://forum.pfsense.org/index.php?topic=70465.0

    Specifically, "Add a WAN NAT rule (with auto f/w rule) for port 25 to 127.0.0.1 and set postfix to listen on loopback."

    Again, postfix forwarder answers fine like it did before.  But it still can't forward mail to my internal mail server.  Here are the logs from /var/log/maillog after a Gmail test:

    Feb 13 11:20:33 pfsense postfix/postscreen[29573]: CONNECT from [209.85.214.53]:36183 to [127.0.0.1]:25
    Feb 13 11:20:33 pfsense postfix/postscreen[29573]: PASS OLD [209.85.214.53]:36183
    Feb 13 11:20:33 pfsense postfix/smtpd[29984]: connect from mail-bk0-f53.google.com[209.85.214.53]
    Feb 13 11:20:33 pfsense postfix/smtpd[29984]: NOQUEUE: reject: RCPT from mail-bk0-f53.google.com[209.85.214.53]: 450 4.1.1 <(MYWORKEMAILADDRESS)>: Recipient address rejected: unverified address: connect to 10.0.1.201[10.0.1.201]:25: Operation timed out; from=<(TESTGMAILADDRESS)> to=<(MYWORKEMAILADDRESS)> proto=ESMTP helo=<mail-bk0-f53.google.com>
    Feb 13 11:20:34 pfsense postfix/smtpd[29984]: disconnect from mail-bk0-f53.google.com[209.85.214.53]

    In the logs above, "(MYEMAILADDRESS)" is my work email address redacted and "(TESTGMAILADDRESS)" is my Gmail address used to send tests.


  • Stop enabling 'sender address verification'.

    http://www.postfix.org/ADDRESS_VERIFICATION_README.html



  • @doktornotor:

    Stop enabling 'sender address verification'.

    http://www.postfix.org/ADDRESS_VERIFICATION_README.html

    Is there an option for that in the postfix forwarder GUI?  I don't see it.  Also, the error in my log is "Recipient address rejected", so I think the problem is postfix forwarder cannot communicate with my internal mail server for some reason and thus cannot check for a valid recipient address.

    In the past, before my firewall running pfsense crapped out and I lost my configuration, postfix forwarder was working fine.  Now I'm starting from a fresh pfsense and for some reason having this trouble with postfix forwarder getting mail to my internal mail server.

    Does there need to be some kind of firewall rule that allows postfix forwarder to forward mail to the internal mail server?


  • @dreadnought:

    Does there need to be some kind of firewall rule that allows postfix forwarder to forward mail to the internal mail server?

    Huh? You obviously need to have 10.0.1.201 (or whatever IP the internal mail server has) TCP/25 accessible… extremely easy to test with telnet.



  • On my LAN, 10.0.1.201 is accessible and port 25 answers… the problem is that for some reason postfix forwarder (on my firewall running pfsense) cannot forward mail to it.  If I leave my original NAT rule on for port 25 (any on port 25 to 10.0.1.201) then mail servers are able to hit my internal mail server fine through the firewall... but postfix forwarder is not in the mix in this scenario.

    When I disable that NAT rule (as the postfix forwarder instructions say to do) and add the rule I mentioned above, postfix forwarder answers on port 25, which is great... but mail never gets from postfix forwarder to 10.0.1.201.  I get the error mentioned above, which to me looks like for some reason postfix forwarder cannot "see" or connect to 10.0.1.201.  I'm not sure how else to explain.  Maybe a screenshot of my rules?


  • @dreadnought:

    On my LAN, 10.0.1.201 is accessible and port 25 answers…

    Oh really?

    
    unverified address: connect to 10.0.1.201[10.0.1.201]:25: Operation timed out
    
    


  • Right… that's from /var/log/maillog on the firewall when I'm running postfix forwarder.  i.e. it seems like postfix forwarder cannot hit (forward mail to) 10.0.1.201 for some reason.  I'm trying to determine if a special firewall rule is required to make this happen.  Postfix forwarder is already configured properly to pass email to my domain to 10.0.1.201.  But it's not happening.

    If I'm on my LAN and telnet to port 25 of 10.0.1.201, it answers as expected.



  • dreadnought,

    Just check your basic config against the first post here: https://forum.pfsense.org/index.php?topic=70541.0

    and check that your mail server doesn't have a firewall that prevents postfix from connecting to it (using the pfSense LAN interface address).



  • @biggsy:

    dreadnought,

    Just check your basic config against the first post here: https://forum.pfsense.org/index.php?topic=70541.0

    and check that your mail server doesn't have a firewall that prevents postfix from connecting to it (using the pfSense LAN interface address).

    I've checked very carefully and I think my configuration is fine… I'm starting from a fresh pfsense and postfix forwarder, so I can't figure out what is broken here!  Just in case there is some kind of strange recipient verification thing going on that did not happen before my firewall died and I had to start from scratch, I tried to add my email address in the custom box in postfix forwarder... this didn't seem to work, maybe the function is broken?  In the log:

    "Feb 14 06:33:42 pfsense postfix/postmap[97091]: warning: /usr/pbi/postfix-amd64/etc/postfix/relay_recipients, line 2: expected format: key whitespace value"

    This happens whether I have an empty line after my email address or not in the postfix forwarder "Custom list."  Postfix forwarder kicks back the error "550 5.1.1 <(MYEMAILADDRESS)>: Recipient address rejected: User unknown in relay recipient table" to people who try to email me with this custom recipient configured.

    Anyway, this was all on a tangent anyway.  Much more importantly, this (from an earlier post in this thread) is what I get in what I think is a pretty standard Postfix forwarder configuration:

    "Feb 13 11:20:33 pfsense postfix/postscreen[29573]: CONNECT from [209.85.214.53]:36183 to [127.0.0.1]:25
    Feb 13 11:20:33 pfsense postfix/postscreen[29573]: PASS OLD [209.85.214.53]:36183
    Feb 13 11:20:33 pfsense postfix/smtpd[29984]: connect from mail-bk0-f53.google.com[209.85.214.53]
    Feb 13 11:20:33 pfsense postfix/smtpd[29984]: NOQUEUE: reject: RCPT from mail-bk0-f53.google.com[209.85.214.53]: 450 4.1.1 <(MYWORKEMAILADDRESS)>: Recipient address rejected: unverified address: connect to 10.0.1.201[10.0.1.201]:25: Operation timed out; from=<(TESTGMAILADDRESS)> to=<(MYWORKEMAILADDRESS)> proto=ESMTP helo=<mail-bk0-f53.google.com>
    Feb 13 11:20:34 pfsense postfix/smtpd[29984]: disconnect from mail-bk0-f53.google.com[209.85.214.53]

    In the logs above, "(MYEMAILADDRESS)" is my work email address redacted and "(TESTGMAILADDRESS)" is my Gmail address used to send tests."

    Hmm… this is interesting.  I just used the pfsense ping diagnostic to ping 10.0.1.201 from the LAN port.  It responded to ping fine.  Then I tried from WAN and localhost.  No ping response.

    Now I'm trying the "Test Port" function:

    Host - 10.0.1.201
    Port - 25
    Source - Localhost
    IP - IPv4

    This results in "Connection failed (Refused/Timeout)" for both source Localhost and WAN.  If I change source to LAN, it works!

    This is making me think even more that there is some kind of rule or setting needed to allow postfix forwarder to forward mail to the internal mail server?

    I'm attaching screenshots of my current rules.  I have the straight through to my mail server rules (which work fine, but no postfix forwarder!) disabled.

    ![Screen Shot 2014-02-14 at 6.32.24 AM.png](/public/imported_attachments/1/Screen Shot 2014-02-14 at 6.32.24 AM.png)
    ![Screen Shot 2014-02-14 at 6.32.50 AM.png](/public/imported_attachments/1/Screen Shot 2014-02-14 at 6.32.50 AM.png)



  • You shouldn't need a rule to allow postfix to talk to your mail server.

    Might be time to do a packet capture to see what traffic is flowing between postfix and 10.0.1.201.



  • Ok, I hope to packet capture on the mail server tomorrow.  In the meantime, do you have the "Test Port" functionality in your pfsense implementation?  I'm really curious what happens when you try to test port 25 on your internal mail server from your pfsense LAN, WAN, and localhost interfaces.


  • @dreadnought:

    In the meantime, do you have the "Test Port" functionality in your pfsense implementation?

    telnet 10.0.1.201 25


  • Have you ensured that you can telnet to your postfix server from the LAN on port 25?

    From what I understand about the postfix forwarder, in theory the only rule needed is allow port 25 inbound to allow other MTAs to connect to the pfSense>Postfix Forwarder; then there should be no other rules required (bar postfix forwarder configuration with the next-hop MTA IP inside the package config itself).



  • The source IP of the connection from postfix to your mail server will be the IP address of the pfSense interface to which the mail server is attached.

    If 10.0.1.201 is on your LAN you need to specify the source as LAN in the port test.  Works for me with no additional rules in pfSense:

    Port Test Results:
    
    Connection to 192.168.11.2 25 port [tcp/smtp] succeeded!
    
    

    Are you sure you just put your domain and not the fully-qualified name of the mail server under the Domains tab?



  • I think I figured out what I was doing wrong… I thought that when I applied changes to multiple "Firewall" tabs I only needed to apply my changes once, in any one of the tabs.  I now realize changes can't be queued up like this and you need to apply the changes in each individual tab.

    I ended up with the following rules, which would have worked a long time ago if I had used the "Apply" function twice (once in Rules and once in NAT):

    (Firewall) IPv4 TCP * * 127.0.0.1 25 (SMTP) * none   NAT Postfix forwarder NAT rule
    (NAT) WAN TCP * * WAN address 25 (SMTP) 127.0.0.1 25 (SMTP) Postfix forwarder NAT rule

    Now it looks like there is another problem though... I see a lot of this in the logs:

    "Feb 17 08:17:59 pfsense postfix/postscreen[63012]: NOQUEUE: reject: RCPT from [209.85.214.42]:56098: 450 4.3.2 Service currently unavailable; from=<"MYTESTEMAIL">, to=<"MYWORKEMAIL">, proto=ESMTP, helo=<mail-bk0-f42.google.com>"

    For some reason some of my tests (all being sent from the same Gmail account to the same work account on my internal mail server) get through right away, others get this error and are delayed… I think this is related to the postfix forwarder tarpit-type function?  I don't remember having this problem when I had postfix forwarder running on our old firewall.



  • @dreadnought:

    "Feb 17 08:17:59 pfsense postfix/postscreen[63012]: NOQUEUE: reject: RCPT from [209.85.214.42]:56098: 450 4.3.2 Service currently unavailable; from=<"MYTESTEMAIL">, to=<"MYWORKEMAIL">, proto=ESMTP, helo=<mail-bk0-f42.google.com>"

    For some reason some of my tests (all being sent from the same Gmail account to the same work account on my internal mail server) get through right away, others get this error and are delayed… I think this is related to the postfix forwarder tarpit-type function?  I don't remember having this problem when I had postfix forwarder running on our old firewall.

    I went through /var/log/maillog carefully and it looks like Google is using a new IP address almost every time it hits postfix forwarder… so that's the explanation for why my tests are sometimes getting through quickly and sometimes delayed.

    Per the guide mentioned earlier in this thread, I'll do this which I think will mitigate the delays:

    "I have an entry in the custom main.cf options, on the General tab, that says "postscreen_cache_retention = 35d".  This keeps addresses for 35 days.  I use this because I want things like infrequent but friendly emailers (monthly newsletters or pfsense mailing list membership reminders) to be accepted first time, rather than soft rejected."

    [UPDATE] I've been watching the logs and I see Google has been trying to deliver an email I really need to see for over 30 minutes… it looks like a couple quick attempts, then almost 30 minutes go by, and another attempt is soft rejected.  Each time Google has had a different IP.  I'm hoping soon that the mail server Russian roulette ends up with Google attempting with one of its previous IPs.  How are other people dealing with this?  Do you turn off the soft bounce function entirely, or are these types of delays worth it to you to weed out some of the spammers?

    [SECOND UPDATE] I disabled "Soft Bounce" in the postfix forwarder configuration, but the following still occurred:

    Feb 17 10:17:47 pfsense postfix/postscreen[97751]: NOQUEUE: reject: RCPT from [209.85.219.43]:49529: 450 4.3.2 Service currently unavailable; from=<"COMPANYEMAILINGME">, to=<"MYEMAILADDRESS">, proto=ESMTP, helo=<mail-oa0-f43.google.com>

    Is there another postfix forwarder function other than "Soft Bounce" that will generate these things?  This is Google's 4th attempt now on delivering this email.  I checked /var/log/maillog and the IP is yet another new one.
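The pattern dreadnought describes (every retry of the same message arriving from a fresh Google IP, so the postscreen cache never gets a hit) can be pulled out of /var/log/maillog with a small parser. The script below is an added illustration, not part of the thread or of the pfSense package; the sample log lines are constructed to match the postscreen line format quoted above, with made-up addresses.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/maillog postscreen lines (addresses and PIDs invented;
# IPs chosen to look like the Google hosts quoted in the thread).
SAMPLE_MAILLOG = """\
Feb 17 08:17:59 pfsense postfix/postscreen[63012]: NOQUEUE: reject: RCPT from [209.85.214.42]:56098: 450 4.3.2 Service currently unavailable; from=<sender@example.com>, to=<me@example.org>, proto=ESMTP, helo=<mail-bk0-f42.google.com>
Feb 17 08:23:10 pfsense postfix/postscreen[63012]: NOQUEUE: reject: RCPT from [209.85.214.53]:41020: 450 4.3.2 Service currently unavailable; from=<sender@example.com>, to=<me@example.org>, proto=ESMTP, helo=<mail-bk0-f53.google.com>
Feb 17 08:52:41 pfsense postfix/postscreen[63012]: NOQUEUE: reject: RCPT from [209.85.219.43]:49529: 450 4.3.2 Service currently unavailable; from=<sender@example.com>, to=<me@example.org>, proto=ESMTP, helo=<mail-oa0-f43.google.com>
Feb 17 09:40:02 pfsense postfix/postscreen[63012]: PASS OLD [209.85.214.42]:33180
Feb 17 09:40:02 pfsense postfix/smtpd[64001]: connect from mail-bk0-f42.google.com[209.85.214.42]
Feb 17 10:05:15 pfsense postfix/postscreen[63012]: PASS NEW [209.85.220.41]:50211
"""

# 450 4.3.2 soft reject issued by postscreen to a client it has not whitelisted yet.
REJECT_RE = re.compile(
    r"postfix/postscreen\[\d+\]: NOQUEUE: reject: RCPT from \[(?P<ip>[\d.]+)\]:\d+: "
    r"450 4\.3\.2 Service currently unavailable; from=<(?P<from>[^>]*)>, to=<(?P<to>[^>]*)>"
)
# PASS OLD = client found in the postscreen cache; PASS NEW = client just passed the tests.
PASS_RE = re.compile(r"postfix/postscreen\[\d+\]: PASS (?P<kind>OLD|NEW) \[(?P<ip>[\d.]+)\]:\d+")


def postscreen_events(log_text):
    """Yield ('reject', ip, sender, recipient) or ('pass', ip, kind) tuples in log order."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield ("reject", m["ip"], m["from"], m["to"])
            continue
        m = PASS_RE.search(line)
        if m:
            yield ("pass", m["ip"], m["kind"])


def retry_report(log_text):
    """Per (sender, recipient): number of soft rejects and the distinct client IPs that got them.
    When the IP count equals the reject count, every retry came from a fresh host and the
    postscreen cache could not help, which is the delay seen in the thread."""
    report = defaultdict(lambda: {"rejects": 0, "ips": []})
    for ev in postscreen_events(log_text):
        if ev[0] == "reject":
            _, ip, sender, rcpt = ev
            entry = report[(sender, rcpt)]
            entry["rejects"] += 1
            if ip not in entry["ips"]:
                entry["ips"].append(ip)
    return dict(report)


def never_passed(log_text):
    """Client IPs that were soft-rejected and never came back to earn a PASS (OLD or NEW)."""
    rejected, passed = [], set()
    for ev in postscreen_events(log_text):
        if ev[0] == "reject" and ev[1] not in rejected:
            rejected.append(ev[1])
        elif ev[0] == "pass":
            passed.add(ev[1])
    return [ip for ip in rejected if ip not in passed]


if __name__ == "__main__":
    for (sender, rcpt), info in retry_report(SAMPLE_MAILLOG).items():
        print(f"{sender} -> {rcpt}: {info['rejects']} soft rejects from {len(info['ips'])} IPs")
    print("rejected IPs that never returned:", never_passed(SAMPLE_MAILLOG))
```

Run it against the real file with `retry_report(open("/var/log/maillog").read())` to see, per sender, how many distinct IPs were bounced before one finally made it into the cache.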



  • @dreadnought:

    [SECOND UPDATE] I disabled "Soft Bounce" in the postfix forwarder configuration, but the following still occurred:

    Feb 17 10:17:47 pfsense postfix/postscreen[97751]: NOQUEUE: reject: RCPT from [209.85.219.43]:49529: 450 4.3.2 Service currently unavailable; from=<"COMPANYEMAILINGME">, to=<"MYEMAILADDRESS">, proto=ESMTP, helo=<mail-oa0-f43.google.com>

    Is there another postfix forwarder function other than "Soft Bounce" that will generate these things?  This is Google's 4th attempt now on delivering this email.  I checked /var/log/maillog and the IP is yet another new one.

    I have now restarted the postfix forwarder service and these soft bounces are still occurring even though "Soft Bounce" has been disabled.



  • @dreadnought:

    @dreadnought:

    [SECOND UPDATE] I disabled "Soft Bounce" in the postfix forwarder configuration, but the following still occurred:

    Feb 17 10:17:47 pfsense postfix/postscreen[97751]: NOQUEUE: reject: RCPT from [209.85.219.43]:49529: 450 4.3.2 Service currently unavailable; from=<"COMPANYEMAILINGME">, to=<"MYEMAILADDRESS">, proto=ESMTP, helo=<mail-oa0-f43.google.com>

    Is there another postfix forwarder function other than "Soft Bounce" that will generate these things?  This is Google's 4th attempt now on delivering this email.  I checked /var/log/maillog and the IP is yet another new one.

    I have now restarted the postfix forwarder service and these soft bounces are still occurring even though "Soft Bounce" has been disabled.

    Whatever feature is responsible for soft bouncing the first IP address… it's a mess when dealing with services like Google.  Looking through /var/log/maillog, I'm seeing not only Gmails but also Google Apps customers emails taking hours to arrive.  Actually, some of these emails that I need to see and have been waiting for still have not arrived.

    I'm going to try disabling "Zombie Blocker" per:

    https://forum.pfsense.org/index.php/topic,43028.0.html

    And hope that is the function responsible for soft bouncing the first IP address.

    [UPDATE] It appears "Zombie Blocker" is the function causing the soft bounces on the first IP address.  I disabled it and I got a test email from my Gmail right away… which, no surprise, had yet another unique IP address and would have been delayed had I not disabled "Zombie Blocker."  I'm seeing these errors (lots of them) in /var/log/maillog now after disabling "Zombie Blocker":

    Feb 17 11:22:59 pfsense postfix/smtpd[53186]: warning: connect to private/anvil: Connection refused

    [SECOND UPDATE] I see "Zombie Blocker" is actually postscreen?  Disabling it kills postscreen entirely, including Anvil if it is set to be enabled with postscreen.

    Isn't there a way to just disable generating soft bounces for first-seen IP addresses in postscreen?



  • I don't know of any way to turn off just the soft bounce but postscreen is definitely the thing that stops a lot of crap from reaching your mail server.

    Google (and others) retrying from a different IP each time is a pain.  Seems there are some whitelisting workarounds out there - using DNSBL - but I haven't gone too deeply into that.

    What I have read is that whitelisting seems to have been made a little easier with postfix 2.11.

    I don't know what plans marcelloc might have to update the package to 2.11.

    If you get a lot of traffic from gmail maybe it wouldn't take too long to collect a decent-sized postscreen cache of gmail IPs.



  • @dreadnought:

    On my LAN, 10.0.1.201 is accessible and port 25 answers… the problem is that for some reason postfix forwarder (on my firewall running pfsense) cannot forward mail to it.  If I leave my original NAT rule on for port 25 (any on port 25 to 10.0.1.201) then mail servers are able to hit my internal mail server fine through the firewall... but postfix forwarder is not in the mix in this scenario.

    When I disable that NAT rule (as the postfix forwarder instructions say to do) and add the rule I mentioned above, postfix forwarder answers on port 25, which is great... but mail never gets from postfix forwarder to 10.0.1.201.  I get the error mentioned above, which to me looks like for some reason postfix forwarder cannot "see" or connect to 10.0.1.201.  I'm not sure how else to explain.  Maybe a screenshot of my rules?

    Waking up an old topic since I got the exact same problem - I don't seem to find any solution on this in the thread… so dreadnought, did you ever find a solution to this?



  • SOLVED - listening on a single LAN IP was the key.

    @planetinse:

    @dreadnought:

    On my LAN, 10.0.1.201 is accessible and port 25 answers… the problem is that for some reason postfix forwarder (on my firewall running pfsense) cannot forward mail to it.  If I leave my original NAT rule on for port 25 (any on port 25 to 10.0.1.201) then mail servers are able to hit my internal mail server fine through the firewall... but postfix forwarder is not in the mix in this scenario.

    When I disable that NAT rule (as the postfix forwarder instructions say to do) and add the rule I mentioned above, postfix forwarder answers on port 25, which is great... but mail never gets from postfix forwarder to 10.0.1.201.  I get the error mentioned above, which to me looks like for some reason postfix forwarder cannot "see" or connect to 10.0.1.201.  I'm not sure how else to explain.  Maybe a screenshot of my rules?

    Waking up an old topic since I got the exact same problem - I don't seem to find any solution on this in the thread… so dreadnought, did you ever find a solution to this?